PRIVACY OF INDIVIDUALS' HEALTH INFORMATION

PRIVACY LAWS IN GENERAL

Health care providers are subject to numerous state and federal laws addressing the use and disclosure of individuals' health information.

The most far-reaching of these laws is the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA's Privacy Rule applies to protected health information created or maintained by health care providers who engage in certain electronic transactions, health plans, and health care clearinghouses. HIPAA's Security Rule addresses the confidentiality, integrity and availability of protected health information (PHI) in electronic form.

HIPAA applies to the University's covered components. This includes areas that access PHI in the course of providing support services to a covered area. It also impacts the use and disclosure of protected health information used for research purposes, as well as the activities of individuals or units operating as business associates for outside covered entities.

Areas of the campus not covered by HIPAA are still subject to numerous other state and federal laws relating to the confidentiality of health or patient information (e.g. see below FERPA and other laws). Questions or concerns relating to state or federal privacy laws may be addressed to the KU Privacy Office (Lawrence Campus), the Office of the General Counsel, or to the Vice Provost for Student Success.

WHAT INFORMATION IS COVERED BY HIPAA?

Protected Health Information (PHI) is the core focus of HIPAA's Privacy Rule. PHI is defined as individually-identifiable information, created or received by a covered entity, that relates to the past, present, or future physical or mental health condition, the delivery of health care, or payment for health care. PHI can be electronic, paper, or oral. Practically speaking, PHI is found throughout the health care setting: in clinic charts, billing records, rounding lists, medical media, electronic databases, in conversation, faxes, and emails. There are strict guidelines under HIPAA regarding when PHI may be considered de-identified or no longer identifiable.

It is important to remember that HIPAA does not preempt or block many state laws relating to public health or state laws that provide patients with more stringent, or greater, privacy protections. In addition, HIPAA does not block certain Federal privacy laws such as the Family Educational Rights and Privacy Act (FERPA) and the federal law applicable to records of federally assisted substance abuse treatment programs. Thus, for example, where student treatment records are involved, Clinics (or “covered components”) covered by HIPAA must take steps to ensure that their practices are consistent with the requirements of FERPA.

REQUESTS FOR PHI/VERIFICATION OF IDENTITY AND AUTHORITY

HIPAA and other confidentiality laws require that we verify the identity and authority of individuals requesting information unless their identity and authority to access the information are already known. Examples of acceptable verification include, but are not limited to, the following:

  • Patients. Ask to see photo ID. Ask appropriate questions to verify identity, e.g., date of birth, social security number, place of birth, etc.
  • Personal Representatives. Ask for photo ID and a copy of the documentation supporting his or her legal authority. If there is no formal documentation, reliance upon professional judgment to determine whether the appropriate relationship exists is permissible. State or other law should be consulted to determine the authority of a patient's personal representative to receive or access a patient's PHI.

USE AND DISCLOSURE: MINIMUM NECESSARY STANDARD

HIPAA's Privacy Rule requires that we take reasonable efforts to use and disclose only the Minimum Necessary amount of PHI appropriate to the situation. Individuals in a particular job category should only have access to the PHI that is needed to perform the duties of that job. An important exception to the Minimum Necessary standard applies to providers engaged in treatment. Providers and student health professionals may use whatever information is required to give care, including the entire medical record, when appropriate.

The Minimum Necessary standard also requires reasonable safeguards to minimize incidental uses and disclosures that might occur as a by-product of another permissible or required use or disclosure. Reasonable safeguards will vary depending upon the needs and circumstances of the facility or clinic, the nature of the PHI it holds, and the potential risks to privacy.

USE AND DISCLOSURE: TREATMENT, PAYMENT, OPERATIONS

Under HIPAA, PHI may be used and disclosed in the context of treatment, payment, or internal health care operations (TPO) of a facility without written permission of the patient. However, other state or federal laws (such as FERPA) may require written permission from a patient at the University even in the contexts of treatment, payment or healthcare operations. Care must be taken to ensure that appropriate written permission for these types of uses and disclosures is obtained, using the consent form developed by your unit for this purpose.

USE AND DISCLOSURE: AUTHORIZATIONS

In certain contexts other than treatment, payment or health care operations, HIPAA requires specific written authorizations prior to disclosure of PHI. Other state and Federal laws require use of a specific written authorization in many contexts. Authorization forms must comply with certain content and format requirements. Care must be taken to ensure that appropriate written authorization for these types of uses and disclosures is obtained, using the authorization form developed by your unit for this purpose.

Examples of situations where specific written authorizations are required include the following:

  • Disclosure of mental health and psychotherapy notes (as defined in HIPAA);
  • Disclosure for marketing purposes;
  • Disclosure for research activities (unless one of the exceptions to individual authorization for research is met);
  • Disclosure pertaining to HIV/AIDS;
  • Disclosure of records of substance abuse patients;
  • Disclosures to attorneys; and
  • Disclosures to life insurance companies.

USE AND DISCLOSURE: PERMITTED OR REQUIRED BY LAW

HIPAA and other state and federal confidentiality laws permit certain disclosures of health information without written permission of the patient. Examples include disclosures in the context of public health activities (such as reporting communicable diseases and vital statistics), certain law enforcement disclosures, disclosures for health oversight purposes (such as disclosures required by state licensing authorities), disclosures pursuant to a court order or subpoena, and disclosures made during a report of abuse to appropriate state officials. In certain of these contexts, additional requirements must be met prior to the disclosure. If your job duties involve the disclosure of health information in any of these contexts, additional information about these requirements must be obtained from your supervisor. Refer requests relating to an order of a court, subpoena, discovery request, or other legal process, to the University General Counsel's Office.

USE AND DISCLOSURE: RESEARCH

HIPAA and other laws provide privacy protections for research participants. Research projects involving the use or disclosure of PHI must comply with these requirements. Research projects submitted to the Human Subject Committee, Lawrence Campus (HSCL) will be reviewed to confirm that adequate privacy protections are in place. The review criteria depend on the type of research and the data being collected. For more information, you should consult the policies and procedures of the HSCL or contact the Human Subjects Committee–Lawrence Coordinator, at (785) 864-7429.

USE AND DISCLOSURE: MINORS

In many cases, Kansas law regarding the confidentiality of minors' health information will apply and parents will be permitted to exercise their minor's rights with respect to the minor's health information. However, there are important exceptions to this general rule. For example, disclosure of the treatment records of minor University students must comply with special rules under FERPA. If you deal with minors, you must familiarize yourself with the special rules for disclosing information about minors in your setting.

USE AND DISCLOSURE: OTHER UNIVERSITY OFFICES OR DEPARTMENTS

Generally speaking, disclosures to other University clinics, facilities, offices or departments must be treated as disclosures to a legally separate entity. In other words, unless such disclosures are expressly permitted by law, the transfer of PHI between such areas is permitted only to the same extent such disclosures are permitted to a separate non-University entity.

In some cases, a University Clinic or other area subject to HIPAA may need to disclose PHI to another area of the University that provides support services to the Clinic or department. These support areas are required to appropriately safeguard the PHI and are not permitted to use or disclose the PHI except as permitted by HIPAA. Access must be limited to that which is minimally necessary to provide the services. Special rules apply. You may obtain information regarding these rules from your supervisor or by contacting the KU Privacy Office (Lawrence Campus) at (785) 864-9528.

USE AND DISCLOSURE: BUSINESS ASSOCIATES

Under HIPAA, covered entities may disclose PHI to a Business Associate or permit the Business Associate to create or receive PHI on its behalf, in order to help the covered entity carry out its health care functions. If such disclosures are made, the unit must obtain prior satisfactory written assurances that the Business Associate will appropriately safeguard the information. These written assurances are called Business Associate Agreements. Examples of Business Associates include but are not limited to transcription services, consultants, third party billing or practice management companies, health care clearinghouses and accreditation bodies. Assistance with Business Associate Agreements may be obtained from the KU Privacy Office (Lawrence Campus) at (785) 864-9528.

PATIENT RIGHTS UNDER HIPAA

Under HIPAA, patients have a number of rights regarding their PHI.

  • Right to receive a Notice of Privacy Practices;
  • Right to access (inspect and copy) one's own medical record;
  • Right to amend the record, where appropriate;
  • Right to request special accommodations for communicating health information in a confidential manner;
  • Right to request restrictions on the uses and disclosures of health information;
  • Right to obtain an 'accounting' or list of non-routine disclosures; and
  • Right to lodge a complaint about privacy violations with the University or the Secretary of the Department of Health and Human Services.

Clinics on the Lawrence Campus have implemented procedures and developed specific forms to administer patient and client rights. Familiarize yourself with the procedures and forms in place in your unit.

NOTICE OF PRIVACY PRACTICES

HIPAA requires covered health care providers to give patients a Notice of Privacy Practice or NPP. The NPP provides a plain language description of how PHI may be used and disclosed, the individual's rights with respect to the information, the provider's legal duties with respect to the information and who the individual can contact for further information. There are additional requirements regarding content and distribution.

You are responsible for knowing and complying with the NPP and the specific privacy practices applicable where you work. Read and familiarize yourself with the NPP for the area with which you are associated, and review it whenever it is amended and at least annually.

COMPLAINTS REGARDING PRIVACY PRACTICES

Complaints, questions or concerns arising out of activities on the Lawrence Campus may be submitted to the unit where the question, concern or complaint arose, or to the KU Privacy Office (Lawrence Campus) at (785) 864-9528. Intimidation, retaliation or discrimination against a patient or any other individual for exercising their rights under applicable privacy laws is strictly prohibited.

HANDLING/REPORTING BREACHES OF CONFIDENTIALITY

Employees, faculty and students are required to report breaches or suspected breaches and privacy or security violations involving electronic data (on KU systems or personal systems) or KU information systems to their supervisor and the KU Customer Service Center (formerly the IT Help Desk) at (785) 864-8080. Other breaches or unauthorized disclosures of PHI not involving electronic data or KU information systems must be immediately reported to the KU Privacy Office, Lawrence Campus at (785) 864-9528. Steps must be taken to mitigate, to the extent practicable, the harmful effect of a use or disclosure of PHI in violation of University policies and procedures or the requirements of the Privacy Rule.

Violations of University policies and procedures, or laws regarding the confidentiality and privacy of health information may result in disciplinary action and other corrective measures. Investigations and determinations regarding disciplinary action and corrective measures will be made in accordance with the University's existing policies and procedures regarding such matters. In addition, violations may result in significant legal penalties, including fines and federal prison sentences for selling PHI or using it to harm someone, and additional liability under other state privacy laws.